Even Responding to Fraud Allegations can be Risky

Last week a regional California medical center entered a $275,000 settlement for disclosing patient information to the media, spotlighting HIPAA’s tight reign over covered health providers even when they try to defend their reputations against fraud allegations. On June 13, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced a new settlement with Shasta Regional Medical Center (“SRMC”) related to the medical center’s use and disclosure of protected health information while attempting to rebut media reports of alleged Medicare fraud. The settlement includes a one-year corrective action plan covering 16 facilities and serves as a sharp reminder that under HIPAA, a covered entity often cannot use or disclose protected health information to respond to allegations without patient authorization, even if the information is publicly known or disclosed by a patient. The settlement stems from a 2011 media report alleging Medicare fraud. In response, SRMC allegedly disclosed protected health information to substantiate that it provided and billed for appropriate medical services. Senior leadership also allegedly sent an e-mail to its entire workforce and medical staff of 785 to 900 persons detailing the patient’s medical information in response to the media attention. According to the resolution agreement, SRMC also allegedly failed to sanction any employees for HIPAA violations related to the incident. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement.pdf Contact Siddel Law for advice on how to respond to Health Care Fraud Allegations